Visualizing, Analyzing and Filtering Zeek Events
Nick Skelsey
ZeekWeek 2019, Seattle, WA
11 October, 2019
AGENDA
1. Motivation
2. State of the art
3. Monopticon
4. Related research
CONNECTIVITY ISSUES: do not suffer in silence
> ping google.com
> ping 8.8.8.8
> ip a
> ping 192.168.1.0
> dhcp -4 iface_name
*check cable*
*check unpaid bills*
*check news for regional disaster*
MOTIVATION
1. Graphics can have high information density.
2. No certifications required.
3. Develop intuition.
IVRE
Lalet, Pierre, Florent Monjalet, and Camille Mougey. "IVRE, a network recon framework." ivre.rocks (2017).
ZENMAP & RADIALNET
Medeiros, João P. S., and Selan R. dos Santos (Federal University of Rio Grande do Norte, UFRN). "RadialNet: An Interactive Network Topology Visualization Tool with Visual Auditing Support." CRITIS 2008.
MONOPTICON
A GPLv3 application built with C++, Zeek and Magnum for POSIX systems.
minicps WATER TREATMENT
> ip link add name feth1 type dummy
> ip link set dev feth1 up
> tcpreplay -v -i feth1 SWaT_plc_test.pcapng
Antonioli, Daniele, and Nils Ole Tippenhauer. "MiniCPS: A toolkit for security research on CPS networks." Proceedings of the First ACM Workshop on Cyber-Physical Systems Security and/or Privacy. ACM, 2015.
Bettercap ARP Spoofing
> set arp.spoof.internal true;
> set arp.spoof.targets 192.168.1.20,192.168.1.30;
> set arp.spoof.full_duplex on;
> arp.spoof on;
OBSERVATIONS
1. Limit scope: Ethernet and IPv4
2. Must be modular: represent the OSI stack as a stack
3. Must be passive: offline packet analysis
4. Must be quick: native or WebAssembly
5. Should be extensible: Zeek and bash scripts
DESIGN
MODELING DEVICES IN A BROADCAST DOMAIN
IEEE 802.1* defines Ethernet
38:30:f9:61:97:6f
MAGNUM.GRAPHICS
THE GRAPHICS PIPELINE
OBJECT SELECTION
OBJECT LAYOUT
LIMITATIONS
All devices addressable by their MAC.
Frames traverse switches based on:
- Destination address
- The type of address
- The switches' (routing) tables
- Structure of the spanning tree
- Optimizations like 802.1aq
802.1 BROADCAST DOMAINS
Fedyk, D., et al. "IS-IS Extensions Supporting IEEE 802.1aq Shortest Path Bridging." IETF RFC 6329 (2012).
AAALM
Zeek package that passively infers the structure of an IPv4 network over Ethernet.
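A minimal illustration of the kind of passive L2/L3 inference the slide describes, added here as an example and not code from aaalm or Monopticon. It assumes the observer sits on a single broadcast domain with a known local prefix (192.168.1.0/24, hypothetical) and applies a simple heuristic of this example's own: a MAC that carries off-link IPs is treated as a gateway, and a local IP bound to more than one MAC is flagged for the operator; the observations are constructed sample tuples.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample (not real captures): (src_mac, src_ip, dst_mac, dst_ip)
# as a passive observer on one Ethernet broadcast domain would record them.
OBSERVATIONS = [
    ("aa:aa:aa:00:00:01", "192.168.1.20", "aa:aa:aa:00:00:02", "192.168.1.30"),
    ("aa:aa:aa:00:00:02", "192.168.1.30", "aa:aa:aa:00:00:01", "192.168.1.20"),
    ("aa:aa:aa:00:00:01", "192.168.1.20", "aa:aa:aa:00:00:fe", "8.8.8.8"),
    ("aa:aa:aa:00:00:fe", "8.8.8.8",      "aa:aa:aa:00:00:01", "192.168.1.20"),
    ("aa:aa:aa:00:00:fe", "10.0.5.7",     "aa:aa:aa:00:00:02", "192.168.1.30"),
    # a second MAC claiming 192.168.1.30: what a spoofed neighbour looks like
    ("aa:aa:aa:00:00:13", "192.168.1.30", "aa:aa:aa:00:00:01", "192.168.1.20"),
]

# Assumed local prefix of the observer's broadcast domain (hypothetical).
LOCAL_NET = ip_network("192.168.1.0/24")


def infer_structure(observations, local_net=LOCAL_NET):
    """Split observed MACs into local hosts and gateways; flag IP/MAC conflicts.

    Heuristic (an assumption of this example, not aaalm's algorithm): every
    frame stays inside one broadcast domain, so a MAC that carries an IP
    outside local_net must be a router; a local IP seen behind two different
    MACs is reported as a conflict for the operator to investigate.
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for smac, sip, dmac, dip in observations:
        for mac, ip in ((smac, sip), (dmac, dip)):
            ips_by_mac[mac].add(ip)
            macs_by_ip[ip].add(mac)

    gateways = {m for m, ips in ips_by_mac.items()
                if any(ip_address(ip) not in local_net for ip in ips)}
    hosts = set(ips_by_mac) - gateways
    conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items()
                 if ip_address(ip) in local_net and len(macs) > 1}
    return hosts, gateways, conflicts


if __name__ == "__main__":
    hosts, gateways, conflicts = infer_structure(OBSERVATIONS)
    print("hosts:    ", sorted(hosts))
    print("gateways: ", sorted(gateways))
    print("conflicts:", conflicts)
```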
INFERRING NETWORK STRUCTURE
A HOSPITAL NETWORK
DRAWING A BROADCAST DOMAIN
PORT MANIFOLDS
FUTURE WORK
1. Extensible event monitoring
2. Sane packaging
3. L2 & L3 model to identify network security policy violations.
Check out:
Monopticon on GitHub or in the AUR
aaalm Zeek package
THANK YOU
Bibliography: nskelsey.com/zweek
securenetwork.it
bvtech.it